AgentDB Memory Patterns
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS & REMOTE_CODE_EXECUTION (HIGH): The skill repeatedly instructs the user to run `npx agentdb@latest`, which downloads and executes the latest version of an external package from an unverified source (ruvnet) at runtime. This provides a mechanism for arbitrary code execution if the package or the `@latest` tag is compromised.
- COMMAND_EXECUTION (HIGH): The instruction to run `claude mcp add agentdb npx agentdb@latest mcp` persists an external executable into the agent's Model Context Protocol (MCP) configuration. This allows an unverified external tool to influence the agent's actions and access its data environment persistently.
- INDIRECT PROMPT INJECTION (HIGH) (Category 8): The skill's primary purpose is to ingest untrusted data (user messages, external facts) and store them as 'Memory Patterns' used in the agent's reasoning process.
  - Ingestion points: `adapter.insertPattern`, `db.storeMessage`, and `db.storeFact` ingest external content from conversations.
  - Boundary markers: None documented in the code snippets provided.
  - Capability inventory: The skill possesses the ability to synthesize context and optimize memory decisions (`retrieveWithReasoning`, `optimizeMemory`), which directly influences the agent's next steps based on injected data.
  - Sanitization: No evidence of sanitization or validation of the ingested 'pattern_data' or 'facts'.
- DYNAMIC EXECUTION (MEDIUM): The 'Learning Plugins' feature (e.g., `create-plugin -t decision-transformer`) suggests the dynamic generation or loading of executable logic based on templates, which may introduce unverified behavior into the agent's runtime environment.
Recommendations
- AI detected serious security threats
Audit Metadata